7 Cyber Issue Trends You Need To Pay Attention To
By John Oncea, Editor
A forecast from a risk mitigation and response solution company identifies seven trends that need to addressed as we enter 2014
Ninety-four percent of healthcare organizations surveyed in the most recent Ponemon Institute Benchmark Study on Patient Privacy & Data Security reported at least one data breach in the past two years, and nearly half experienced more than five in the same time frame. Ponemon estimates data breaches cold be costing the healthcare industry as much as $7 billion annually.
Kroll, a risk mitigation and response solution company, recently released the results of its third annual Cyber Security Forecast, “A prediction of the most significant cyber issues organizations will confront in 2014. The latest forecast highlights seven trends identified by Kroll and suggests that a changing tide in cyber standards, both social and legal, will require organizations to take stronger actions and safeguards to protect against reputational, financial and legal risks.”
The trends Kroll predicts healthcare needs to understand are:
- NIST and similar security frameworks will become the de facto standards of best practices for all companies. “This trend will move the U.S. in the direction of the EU, where there is a greater recognition of privacy as a right,” said Alan Brill, senior managing director at Kroll. “As new laws evolve that reflect the NIST guidelines and look more like the EU privacy directive, some U.S. companies will find themselves ill-prepared to effectively respond to the regulations. To minimize their risk, organizations will have to get smart on these standards and make strategic business decisions that give clients and customers confidence that their information is protected.”
- The data supply chain will pose continuing challenges to even the most sophisticated enterprises. “Kroll has responded to breaches where subcontractors not only failed to provide timely notice that they were breached, but also refused to cooperate with the investigation. Companies should know who they are giving their data to and how it is being protected,” said Tim Ryan, managing director and Cyber Investigations practice leader. “This requires technical, procedural, and legal reviews.”
- The malicious insider remains a serious threat, but will become more visible. “There’s a tremendous amount of data compromised today where the act is never discovered or disclosed. People discount the insider threat because it doesn’t make the news. Instead, we see headlines about external credit card breaches and theft of personally identifiable information, because regulations mandate accountability and punishment is expensive. The insider threat is insidious and complex. Thwarting it requires collaboration by general counsel, information security, and human resources. SEC breach disclosure of “material losses” may be the model for rules requiring a company to be more transparent and answerable for allowing bad actors to go unpunished,” said Ryan.
- Corporate board audit committees will take a greater interest in cyber security risks and the organization’s plans for addressing them. “Organizations recognize that it’s their duty to protect against the loss of information and its associated risks,” said Brill. “As corporate boards carry out their fiduciary responsibilities, they must also protect the company from possible shareholder lawsuits that allege the company's cyber security wasn't at a level that could be reasonably viewed to be ‘commercially reasonable’ and that incident response plans weren't in place to mitigate the risk. The challenge they face is determining what is a reasonable level of security and response, and who should make that call – is it their IT team, an industry expert, an independent third party?”
- Sophisticated tools will enable smart companies to quickly uncover data breach details and react faster. “Most organizations have invested in preventative security technologies, but remain unprepared to launch an effective response to a leak or intrusion. Without the right tools and policies in place beforehand, they find themselves suddenly under intense pressure to investigate, track, and analyze events,” said Ryan. “It takes more money and time to scramble at the last minute. We’ve seen a dramatic improvement in response technology over the last year. Companies have never had a better opportunity to enhance their existing protocols with a methodology that can mean an informed and timely response. There’s no reason not to be prepared.”
- New standards related to breach remediation are gaining traction and will have a greater impact on corporate data breach response. “The notion that credit monitoring is a panacea for all data breaches is misguided. When you couple the myriad types of sensitive information with the multitude of ways an identity can be stolen and used fraudulently, there are many instances where credit monitoring will not be helpful to a breach victim at all, including medical identity theft, criminal impersonation, employment and tax fraud, etc.,” said Brill. “That’s not to say that credit monitoring is useless because it’s a valuable tool when it aligns with the type of data exposed. Rather, companies will need to gain a better understanding of their actual breach risks, how the breach could actually affect their customers, and the best way to remedy those specific risks and provide better protection to the affected consumers.”
- As Cloud and BYOD adoption continues to accelerate, greater accountability will be required for implementing policies and managing technologies. “Up until now, cloud and BYOD adoption has been like the Wild West – uncharted, unregulated, and few restrictions. However, we’re seeing courts issue rulings that include significant penalties where discovery, disclosure and other legal obligations aren’t being met because of the use of these technologies,” said Brill. “While it’s implausible to anticipate every possible risk presented by the use of the cloud and BYOD, companies that have integrated these technologies into their corporate policies, IT security, and risk management plans will be much better prepared to fulfill their legal obligations. Organizations must realize that even if they don’t want to deal with this, they’re not going to have much choice.”
Healthcare IT News asked Brill to determine the biggest security challenge facing healthcare organizations in 2014, to which Brill said, “Keeping up with the requirements set by HIPAA/HITECH as HHS gains more experience through its OCR audit programs. We see that many organizations need to take some time to make sure that their policies and standards are in line with the specific wording called for in the final omnibus rule. This is a way of avoiding problems that are easily avoided. The second part is asking the question: ‘How do we know we are actually doing what we say we're doing in our policies and procedures?’
“That's a question that the auditors will almost always ask, and to the extent you have a way of collecting the evidence that you're complying with your rules, not only will you be ready, but you will know you're operating in compliance with the rules.”
Brill also touched on how healthcare stacks up to other industries when it comes to keeping data safe, how the new HIPAA Omnibus rule will change how healthcare organizations and their business associates should be thinking about patient data, and how much of a risk hacking poses to healthcare IT.
Want to publish your opinion?